PIX and ASA VPN question

Answered Question
Dec 18th, 2007


I have a remote user logging into a PIX506E through the Microsoft Windows PPTP client. And once on the VPN, he is not able to access his Internet. I believe it is a characteristic of software VPN, but is there any way he can browse the Internet by changing routing tables etc., or which way is best to go with?

As an alternative, if I use an ASA unit, I know this doesn't support PPTP and wanted to know if there is another way to go with other than using the Cisco VPN client.

Typically, I would like to use the PIX506E without an additional VPN client and be able to browse the Internet if possible.

Please advise.

Richard Burts Tue, 12/18/2007 - 13:46

What version of code is the PIX running? In PIX code up through 6.3.5, one of the characteristics of the PIX is that it will not forward traffic out the interface on which it was received. The result of this is that a user who connects via VPN and comes in through the outside/public interface cannot be forwarded back out the outside/public interface to access the Internet.

In release 7 and later, Cisco introduced an optional feature which allows the PIX to forward back out the same interface. So if the PIX is currently running earlier than 7 code, the behavior that you are experiencing is expected behavior. If you upgrade to version 7 code you may be able to get around this.



techtips03 Wed, 12/19/2007 - 07:26

Hi Rick

Thanks for the response. But I don't think the PIX506E supports the 7.0 version.

Any other ideas on this, or should I go for L2TP or through the Cisco VPN client and configure split tunneling?


hwknight53 Wed, 12/19/2007 - 08:08

You're right. The 506E doesn't support v7. We use the Cisco Client with split tunneling.


techtips03 Wed, 12/19/2007 - 12:33

Yes, I tried the PPTP configuration with the default gateway unchecked. I guess I was able to browse but definitely not able to do anything on the VPN. So it seems that only one of them works.

And if I want to go for split tunneling, I should definitely use the Cisco VPN client, right?

Just to add, I already have a VPN tunnel between 2 locations and will have to give remote access to the users from home.

And is this link good enough to follow?


hwknight53 Thu, 12/20/2007 - 03:47

The problem with just unchecking the Default Gateway box is that the client may be confused about which traffic should go through the VPN and which traffic should not. In the example that you referenced, the command "vpngroup vpn3000 split-tunnel 101" uses access list 101 to define which traffic should travel over the VPN.

You don't have to use the Cisco client. There are other ones out there that will split tunnel. It's just that the Cisco client is what I/we know.


techtips03 Thu, 12/20/2007 - 08:20

Hi Wes

Thanks for your response. So I understand that I have to go for a VPN client and configure split tunnel on the PIX/ASA units. I would probably go for the Cisco VPN client instead of others.

As I mentioned, I have a site-site VPN as well along with remote client VPN. Can you please confirm if this config works?

techtips03 Thu, 12/20/2007 - 09:15

Here is the config below. I already have the site-site config as below and it works fine.

access-list nonat permit ip

access-list 102 permit ip

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map VPN 1 ipsec-isakmp

crypto map VPN 1 match address 102

crypto map VPN 1 set pfs

crypto map VPN 1 set peer x.x.x.x

crypto map VPN 1 set transform-set myset

crypto map VPN interface outside

isakmp enable outside

isakmp key ******* address x.x.x.x netmask no-xauth

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash sha

isakmp policy 1 group 1

isakmp policy 1 lifetime 3200

Can you please confirm that adding the config below for remote VPN works well along with the site-site VPN?

ip local pool vpn-clients

access-list nonat permit ip

vpngroup vpn3000 split-tunnel nonat

crypto dynamic-map dynmap 1 set transform-set myset

crypto map VPN 20 ipsec-isakmp dynamic dynmap

vpngroup vpn3000 address-pool ippool

vpngroup vpn3000 dns-server

vpngroup vpn3000 wins-server

vpngroup vpn3000 default-domain cisco.com

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********

A couple of questions here:

As I am using ACL 'nonat' for both site-site and remote VPN and using the same ACL for split tunnel, does the nonat ACL conflict with the site-site command

access-list nonat permit ip

And can I just use group 1 and SHA (hash) for the remote VPN client? I see some docs show that I should only use group 2.

hwknight53 Fri, 12/21/2007 - 04:10

Yes, it conflicts. Rename the ACL "access-list nonat permit ip " to something else.

You can use whichever DH group you want as long as both ends support it. Some of the Cisco clients and devices don't support DH group 1. I think that's what you're seeing in the docs.

I'll only check in once more today and then it's home for the holidays. Good luck and have a great Christmas.


Please rate the posts if they are helpful.

techtips03 Fri, 12/21/2007 - 06:49

Thank you. I thought it would create a problem and I don't understand something here. As both site-site and remote VPN need the nat 0 command, I believe the PIX/ASA accepts only 1 nat 0 command, and if I add a second one, I remember the first one is deleted.

access-list nonat permit ip - site-site

access-list 100 permit ip - remote

global (outside) 1 interface

nat (inside) 1

nat (inside) 0 access-list nonat - site-site

nat (inside) 0 access-list 100 - remote, and I guess I can't add this? So where do I apply ACL 100 for the nat 0 command?

vpngroup vpn3000 split-tunnel 100

Do you have this setup in place? If so, can you please send me the sample config. I don't think I need an outage to have this in place, right?

And if I use an ASA, does "same security intra-interface" add any benefit?


acomiskey Fri, 12/21/2007 - 06:52

You only need to have 1 nat 0 acl. As you found out you can't add another.

techtips03 Fri, 12/21/2007 - 09:25

Then I don't think it works for the VPN group to access the Internet when connected to the VPN.

hwknight53 Fri, 12/21/2007 - 10:28

I shouldn't try to answer questions when I'm in a hurry. Sorry.

I can't get to our equipment now, so this is off the top of my head. You are right. Only one nat 0 is allowed. Rename the second nonat ACL. So it should look like:

access-list vpn permit ip

vpngroup vpn3000 split-tunnel vpn


techtips03 Wed, 12/26/2007 - 10:00

Thanks all for your replies. I hope everyone had a great Christmas!

From all the above replies, I understand that I do not need the "nat (inside) 0 access-list ---" command for the remote client VPN config and I just need "nat (inside) 0 access-list nonat" (only for my site-site VPN). So how are we telling the ASA to avoid NAT on IPsec packets for remote clients?

I am following the link below, which is an example for only remote client VPN access, and I see these commands in place "nat (inside) 0 access-list 101" & "access-list 101 permit ip" which tell me that NAT is avoided for IPsec packets for remote clients.


Did I understand right? I will be configuring this in the first week of the New Year and will rate all the posts.

Thanks for all your time. You guys are of great help as always.

Correct Answer
bob.bartlett Sat, 12/29/2007 - 08:29

OK, two things. One, yes, you are correct that you need an ACL for your remote clients, but that is a standard access list like the one above. Secondly, you do need to add the remote VPN IP space to your existing nonat access list. DO NOT remove your others, just add the IP space you are using for your VPN clients. Example below:

access-list nonat permit ip (internal address space) (VPN client DHCP address space)

techtips03 Tue, 03/18/2008 - 07:37

That is right. I got this configured and I came to know that I need to add

access-list nonat permit ip

VPN works, I also have access to the Internet, and PPTP works too.
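The thread's resolution assembled into one PIX 6.3 configuration, as an added example that is not any poster's actual config: the single nat 0 ACL carries both the site-to-site and the client-pool exemptions, the split-tunnel ACL is a separate list, and the client IKE policy uses DH group 2 as hwknight53 suggests. All addresses (inside 192.168.1.0/24, remote site 192.168.2.0/24, client pool 192.168.100.0/24, peer 203.0.113.10, DNS server) and the policy/sequence numbers are constructed.

```cisco
! Constructed addresses, not from the thread
ip local pool ippool 192.168.100.1-192.168.100.50

! Only one nat 0 ACL is allowed, so both exemptions live in it.
! The second line is the one bob.bartlett says to add for the client pool.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Site-to-site crypto ACL, unchanged from the existing tunnel
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Separate split-tunnel ACL: only traffic to the inside network goes down
! the tunnel; the client reaches the Internet through its own local gateway,
! which is what a pre-7.0 PIX cannot do for it (no forwarding back out outside)
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-sha-hmac
! Static entry for the site-to-site peer (peer address constructed)
crypto map VPN 1 ipsec-isakmp
crypto map VPN 1 match address 102
crypto map VPN 1 set peer 203.0.113.10
crypto map VPN 1 set transform-set myset
! Dynamic entry for remote clients; higher sequence so it is evaluated last
crypto dynamic-map dynmap 10 set transform-set myset
crypto map VPN 20 ipsec-isakmp dynamic dynmap
crypto map VPN client configuration address initiate
crypto map VPN interface outside

isakmp enable outside
isakmp identity address
! The site-to-site peer is excluded from mode config pushed to clients
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
! Existing policy 1 stays for the site-to-site peer; policy 10 is for
! the clients and uses DH group 2, which the clients are known to support
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 192.168.1.10
vpngroup vpn3000 split-tunnel split
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
```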

